Search form

New Mexico Enacts Data Breach Notification Act

By Jason C. Gavejian
  • April 19, 2017

New Mexico has become the 48th state to enact a data breach notification law requiring that individuals be notified of security breaches of information involving personal identifying information. Governor Susana Martinez signed HB 15 on April 6, 2017. The new law follows the same general structure of many of the breach notification laws in other states. It will become effective on June 16, 2017.

The three key components of the Act are:

  • Disposal of Personal Identifying Information (PII);
  • Security Measures for Storage of PII; and
  • Notification of a Security Breach.

This leaves Alabama and South Dakota as the only states that have not enacted a data breach notification legislation.

Personal Identifying Information

Under New Mexico’s Data Breach Notification Act, PII means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:

  • Social Security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined as “a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”

Some states (including Illinois) have implemented or amended their own data breach notification laws to include elements such as biometric data.

Disposal of PII

Under the Act, organizations must arrange for the proper disposal of records containing the PII of New Mexico residents when the records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII

Organizations must implement and maintain — and contractually require their service providers and vendors to implement and maintain — reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure. Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices. Nevertheless, all organizations should implement safeguards to protect the personal and company information they maintain.

Notification of Security Breach

In the event of a breach, the Act states:

  • Notification must be provided to each New Mexico resident within 45 calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee), notification must be provided to the owner or licensee of the PII within 45 calendar days following discovery of the breach.
  • Notification to each New Mexico residents must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated dates(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of his or her rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1,000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within 45 calendar days following discovery of the breach. Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • Notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft of fraud.” This is known as a risk of harm trigger.
  • The Act does not apply to a person subject to Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA).

Enforcement

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is found to be knowing or reckless, a court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.

***

Breach notification laws continue to evolve. It is imperative for organizations to be prepared to respond appropriately. If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.

Jackson Lewis attorneys are available to answer questions about data security safeguards and other issues.

©2017 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.

See AllRelated Articles You May Like

January 30, 2017

Top 10 for Data Privacy Day 2017

January 30, 2017

In honor of Data Privacy Day, we provide the following “Top 10 for 2017,” a list of critical areas in data privacy that businesses should know about. While not exhaustive, the list points out hot topics on data privacy and security for organizations to consider in 2017. 1. Phishing Attacks and Ransomware Phishing, as... Read More

January 17, 2017

Increasing Ransomware Attacks in Higher Education

January 17, 2017

Malicious “ransomware” attacks — where a hacker takes control of the victim’s information systems and encrypts data, preventing the owner from accessing it until the victim pays a sum of money — are on the rise against colleges and universities. Higher education institutions are well-advised to increase... Read More

January 10, 2017

2017: The Year Ahead for Employers

January 10, 2017

An executive summary of recent changes in workplace law and a look ahead to 2017. Read More